Mozilla Foundation Security Advisory 2010-84

XSS hazard in multiple character encodings

Announced

December 9, 2010

Reporter

Yosuke Hasegawa, Masatoshi Kimura

Impact

Moderate

Products

Firefox, SeaMonkey

Fixed in

Firefox 3.5.16

Firefox 3.6.13

SeaMonkey 2.0.11

Description

Security researchers Yosuke Hasegawa
and Masatoshi Kimura reported that the x-mac-arabic,
x-mac-farsi and x-mac-hebrew character encodings are vulnerable to XSS
attacks due to some characters being converted to angle brackets when
displayed by the rendering engine. Sites using these character
encodings would thus be potentially vulnerable to script injection
attacks if their script filtering code fails to strip out these
specific characters.